DRI: Amendments to the Law on Information Security pose a threat of unrestricted control
21.09.2020

The Democracy Research Institute is responding to the amendments to the Law of Georgia on Information Security and believes that they increase, in an uncontrolled manner, the authority of the State Security Service and its operative-technical agency, a legal entity of public law, which may lead to total control of state bodies, local self-governments, the judicial and legislative branches of government, and electronic communications companies.

The proposed amendments indefinitely expand the circle of critical information system subjects. It is especially noteworthy that the list includes legal entities of public law. According to the draft law, the list of critical information system subjects and the criticality classification for the respective subjects shall be approved by an ordinance of the Government of Georgia. When the legislative definition of critical information subjects is extremely general and there are no clear criteria for criticality classification, there is a real risk of abuse of power and arbitrariness. This deserves particular attention, since any legal entity of private law may fall under the regulation of the law on the basis of the ordinance of the Government of Georgia.

No less important is the exercise of virtually unlimited control by the executive government over the information systems and information assets of local self-governments, courts and parliament. The agency is granted the right to uncontrolled inspection of information assets on the grounds of inspecting information-technological infrastructure. According to the law currently in force, an information asset is defined as "All information and knowledge (particularly, technological means for the storage, processing, and transfer of information, staff and their knowledge of information processing) that is valuable to the critical information system subject." Therefore, in the absence of proper control mechanisms over the State Security Service and its subordinate operative-technical agency, the risks of uncontrolled access to the personal communication, records and personal information of the people employed in these institutions increase.

The bill also sets different requirements for information security managers, whose appointment is required in all critical information subjects. In particular, according to the bill, information security managers can be defined as persons who have access to state secrets (this requirement does not apply to legal entities of private law). According to the Law of Georgia on State Secrets, the decision on access to information shall be made with the consent of an authorized subdivision of the State Security Service of Georgia. This regulation empowers the State Security Service to individually determine the list of persons who, in turn, will later determine whether the agency should have access to the subject's information asset (valuable information for the critical information system subject, including the organization's accounting system, staff, their knowledge of information processing, etc.) in the event of an alleged information security incident.

It is also unclear why three different bodies are given similar mandates to achieve one and the same goal, which may lead to irrational spending of state resources.

In addition, in some cases, the bill allows for the restriction of fundamental human rights and freedoms not on the basis of legislation, but on the basis of a subordinate normative act.

Based on the above, the Democracy Research Institute considers that the amendments to the Law of Georgia on Information Security carry the risks of total control and mass human rights violations and grant the State Security Service an unjustifiably broad mandate to access information assets necessary for the functioning of state bodies, local self-governments, the judicial and legislative branches of government, electronic communication companies and legal entities of private law, instead of strictly defining the scope of its activity.